Wednesday, February 01, 2006

Blackworm to destroy word, excel, power point, pdf, and other files on Friday (2/3/06)

A nasty worm is spreading right now and is set to start deleting files on Friday (2/3). I don't normally like to give advice on specific security threats; however, I believe the consequences of infection in this case are severe enough to warrant a warning.

Here is what I believe to be the relevant information regarding the worm:

A relatively new worm, called "Blackworm," "MyWife," "CME-24," "Blackmal," "Nyxem" and/or "Tearec," is set to start destroying common file types (DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP) on infected systems on February 3rd. These include the common MS Office formats (Word, Excel, PowerPoint) and Adobe PDF files. The trigger date is read from the clock of the individual computer, so a system with incorrect date settings will be hit on whatever day its own clock says is 2/3/06. The worm will keep destroying these file types on the 3rd day of each month until it is removed; the first systems to be infected have already reported losing data on January 3rd, 2006. Once a computer is infected, the worm propagates by mass-mailing itself to any addresses found on the system and by copying itself onto any writeable network shares.

There are currently no patches available, but the most common anti-virus software can detect and remove or neutralize the worm if it is up to date. Anti-virus software updated after January 23rd, 2006 should be okay; however, I strongly recommend verifying that your anti-virus software has the appropriate signature from the list I've provided below. Furthermore, I recommend that all Windows-based systems holding critical data in any of the affected file formats be scanned before February 3rd at 12:00am. If you are not currently using any anti-virus software, I would consider purchasing a commercial solution now or using ClamWin (ClamAV for Windows), an excellent open source tool that can be downloaded here:

http://www.clamwin.com/content/view/18/46/

AVG and TrendMicro also offer limited versions of their anti-virus software free.

I've also included links to the Microsoft security advisory, manual removal steps and Snort signatures below.

Microsoft Security Advisory

http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm

If your computer is infected, Microsoft has provided these manual removal instructions:

Manual Recovery Steps Provided by Microsoft

First, reboot your computer. This will force the worm into a known configuration where it can be stopped.

Using Task Manager, look for any of the following process names and kill them if present:
Update.exe
Winzip.exe
scanregw.exe
WINZIP_TMP.exe
"Winzip Quick Pick.exe"

Delete the following files if present on your system:
C:\WINZIP_TMP.exe
%windir%\WINZIP_TMP.exe
%windir%\system32\Winzip.exe
%windir%\system32\Update.exe
%windir%\system32\scanregw.exe
"C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"

Note that the files under %windir%\system32 will be marked read-only and hidden. To delete these from the command prompt, use (for example):
del /f /a:h %windir%\system32\Winzip.exe

Using regedit, delete the following registry value:
'ScanRegistry' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (Contents will look like: scanregw.exe /scan)

Reboot your computer, and using Task Manager, verify that none of the processes mentioned above are running.
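The removal steps above amount to three checks: running process names, files on disk, and one value under the HKLM Run key. The script below is an added example (not Microsoft's tool and not from the original post) that performs those checks read-only and reports what it finds; it never kills a process or deletes a file. The matching logic takes host state as plain data, so it can be exercised with the constructed samples at the bottom on any platform; collect_windows_state() gathers the real data on a Windows host using only the standard library (tasklist, os.path and winreg).

```python
"""Read-only audit for the Blackworm/Nyxem host indicators listed in the
removal steps above. Added example, not Microsoft's or the blog author's code.
It reports and never kills or deletes anything."""
import os
import re

# Indicators copied from the removal steps above
WORM_PROCESSES = {"update.exe", "winzip.exe", "scanregw.exe",
                  "winzip_tmp.exe", "winzip quick pick.exe"}
WORM_FILES = [
    r"C:\WINZIP_TMP.exe",
    r"%windir%\WINZIP_TMP.exe",
    r"%windir%\system32\Winzip.exe",
    r"%windir%\system32\Update.exe",
    r"%windir%\system32\scanregw.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe",
]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # under HKEY_LOCAL_MACHINE
RUN_VALUE = "ScanRegistry"                                    # data looks like: scanregw.exe /scan


def expand_vars(path, env):
    """Expand %NAME% references the way cmd.exe does (names are case-insensitive)."""
    lower = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lower.get(m.group(1).lower(), m.group(0)), path)


def audit(processes, files_present, run_values, env):
    """Match host state, supplied as plain data, against the indicators.

    processes:     image names as Task Manager shows them
    files_present: absolute paths that exist on disk
    run_values:    {value name: data} read from the HKLM Run key
    env:           environment variables; must contain windir
    Returns the matching processes, expanded file paths and Run value.
    """
    running = {p.lower() for p in processes}
    present = {p.lower() for p in files_present}     # Windows paths are case-insensitive
    hits = {
        "processes": sorted(p for p in WORM_PROCESSES if p in running),
        "files": [expand_vars(f, env) for f in WORM_FILES
                  if expand_vars(f, env).lower() in present],
        "run_value": None,
    }
    for name, data in run_values.items():
        if name.lower() == RUN_VALUE.lower() and "scanregw.exe" in str(data).lower():
            hits["run_value"] = data
    hits["infected"] = bool(hits["processes"] or hits["files"] or hits["run_value"])
    return hits


def collect_windows_state():
    """Gather live state on a Windows host (standard library only)."""
    import csv, io, subprocess, winreg
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    processes = [row[0] for row in csv.reader(io.StringIO(out)) if row]
    # os.path.exists sees hidden and read-only files, so the attributes the
    # worm sets on its system32 copies do not hide them from this check
    files_present = [expand_vars(f, os.environ) for f in WORM_FILES
                     if os.path.exists(expand_vars(f, os.environ))]
    run_values, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:          # no more values
                break
            run_values[name] = data
            i += 1
    return processes, files_present, run_values, dict(os.environ)


# Constructed sample states (not taken from a real machine)
ENV = {"windir": r"C:\WINDOWS"}
SAMPLE_CLEAN = (["explorer.exe", "svchost.exe"],
                [r"C:\WINDOWS\system32\notepad.exe"],
                {"SoundMan": "SOUNDMAN.EXE"}, ENV)
SAMPLE_INFECTED = (["explorer.exe", "scanregw.exe", "Winzip Quick Pick.exe"],
                   [r"C:\WINDOWS\System32\Winzip.exe", r"C:\Windows\WINZIP_TMP.exe"],
                   {"ScanRegistry": "scanregw.exe /scan"}, ENV)

if __name__ == "__main__":
    state = collect_windows_state() if os.name == "nt" else SAMPLE_INFECTED
    print(audit(*state))
```

Run it as Administrator on the host being checked; anywhere else it prints the result for the constructed infected sample. A hit on any of the three checks means the manual steps above still need to be carried out.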

Anti-Virus Signatures

Authentium W32/Kapser.A@mm
AntiVir Worm/KillAV.GR
Avast! Win32:VB-CD [Wrm]
AVG Worm/Generic.FX
BitDefender Win32.Worm.P2P.ABM
ClamAV Worm.VB-8
Command W32/Kapser.A@mm (exact)
Dr Web Win32.HLLM.Generic.391
eSafe Win32.VB.bi
eTrust-INO Win32/Blackmal.F!Worm
eTrust-VET Win32/Blackmal.F
Ewido Worm.VB.bi
F-Prot W32/Kapser.A@mm (exact)
F-Secure Email-Worm.Win32.Nyxem.e
Fortinet W32/Grew.A!wm
Ikarus Email-Worm.Win32.VB.BI
Kaspersky Email-Worm.Win32.Nyxem.e
McAfee W32/MyWife.d@MM
Nod32 Win32/VB.NEI worm
Norman W32/Small.KI (W32/Small.KI@mm)
Panda W32/Tearec.A.worm (W32/MyWife.E.Worm)
QuickHeal I-Worm.Nyxem.e
Sophos W32/Nyxem-D
Symantec W32.Blackmal.E@mm
Trend Micro WORM_GREW.A (Worm_BLUEWORM.E)
VBA32 Email-Worm.Win32.VB.b
VirusBuster Worm.P2P.VB.CIL

Snort Signatures

Joe Stewart of LURHQ provided the following Snort signatures based on his analysis of the worm (for up-to-date rules, see bleedingsnort.org).

This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referrer: header in their URL. Could be an infected user, could be one of us checking out the counter stats:
#by Joe Stewart at LURHQ, tweaks by Matt Jonkman

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"BLEEDING-EDGE VIRUS webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm/Nyxem infection)"; \
    content:"GET /cgi-bin/Count.cgi?"; depth:23; content:"df="; within:20; \
    content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; \
    classtype:misc-activity; sid:2002788; rev:2;)

This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-agent: header. So this will catch BlackWorm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    (msg:"BLEEDING-EDGE VIRUS Agentless HTTP request to www.microsoft.com (possible BlackWorm/Nyxem infection)"; dsize:92; \
    content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; \
    classtype:misc-activity; sid:2002789; rev:1;)

These signatures detect the payload of Nyxem_D aka CME-24. The same sig, with the direction swapped, is used for inbound and outbound detection. (Robert Danford)

#Submitted 2006-01-17 by Mark Tombaugh

alert tcp $EXTERNAL_NET any -> $HOME_NET 25 \
    (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP inbound"; \
    flow:established,to_server; content:"YmVnaW4gNjY0I"; \
    content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; \
    classtype:trojan-activity; \
    reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; \
    sid:2002779; rev:1;)


alert tcp $HOME_NET any -> $EXTERNAL_NET 25 \
    (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP outbound"; \
    flow:established,to_server; content:"YmVnaW4gNjY0I"; \
    content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; \
    classtype:trojan-activity; \
    reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; \
    sid:2002778; rev:1;)
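To make the three detections concrete, here is an added example (not LURHQ's, Bleeding Snort's or the blog author's code) that reimplements the match logic of the signatures above in Python and runs it over constructed sample packets. The `find` helper models only the content/depth/distance/within modifiers these rules use, with Snort 2 semantics as understood here (distance shifts the search start past the previous match, within bounds the match to that many bytes from there). The 92-byte www.microsoft.com probe is exactly the content string, so dsize:92 plus that content means the whole payload must match; the SMTP rules look for base64 of a uuencode header ("begin 664 ") followed, 31 bytes on, by 31 characters of base64-encoded spaces, which is why a legitimate uuencoded attachment with the same header does not fire. All sample traffic is constructed, not captured.

```python
"""Match logic of the Snort signatures above, re-implemented over constructed
sample packets. Added example; not the signatures' authors' code."""
import base64


def find(buf, pattern, prev_end=None, depth=None, distance=0, within=None):
    """Locate `pattern` in `buf` under Snort-style content modifiers.

    Returns the offset just past the match, or -1. With prev_end=None the
    search is absolute from offset 0 (limited to `depth` bytes); otherwise it
    starts `distance` bytes past the previous match and, if `within` is set,
    the pattern must lie entirely inside the next `within` bytes.
    """
    if prev_end is None:
        base, region = 0, (buf if depth is None else buf[:depth])
    else:
        base = prev_end + distance
        region = buf[base:] if within is None else buf[base:base + within]
    i = region.find(pattern)
    return -1 if i < 0 else base + i + len(pattern)


# sid:2002788 - Count.cgi request to webstats.web.rcn.net with no Referer header
def sid_2002788(payload):
    end = find(payload, b"GET /cgi-bin/Count.cgi?", depth=23)
    if end < 0 or find(payload, b"df=", prev_end=end, within=20) < 0:
        return False
    if find(payload, b"Host: webstats.web.rcn.net") < 0:
        return False
    return find(payload, b"Referer:") < 0          # content:!"Referer|3a|"


# sid:2002789 - the connectivity probe: a 92-byte request with no User-Agent;
# the content string is the entire payload
MS_PROBE = (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
            b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")

def sid_2002789(payload):
    return len(payload) == 92 and find(payload, MS_PROBE) >= 0   # dsize:92


# sid:2002778/2002779 - base64("begin 664 ") then, 31 bytes later, 31 chars of
# base64-encoded spaces ("ICAg" is base64 of three spaces)
def sid_2002778(payload):
    end = find(payload, b"YmVnaW4gNjY0I")
    if end < 0:
        return False
    return find(payload, b"ICAgICAgICAgICAgICAgICAgICAgICA",
                prev_end=end, distance=31, within=31) >= 0

RULES = {"2002788": sid_2002788, "2002789": sid_2002789, "2002778": sid_2002778}


def scan(samples):
    """Return {sample name: [sids that fire]} for a dict of payloads."""
    return {name: [sid for sid, rule in RULES.items() if rule(p)]
            for name, p in samples.items()}


def smtp_message(attachment):
    """Constructed SMTP DATA segment carrying `attachment` as a base64 MIME
    body wrapped at 76 columns, the way a mail client sends it."""
    b64 = base64.b64encode(attachment)
    body = b"\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (b"From: <sender@example.com>\r\nTo: <victim@example.com>\r\n"
            b"Subject: Photos\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: application/octet-stream; name=\"Attachments.zip\"\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n" + body + b"\r\n.\r\n")


# Constructed samples (not captured traffic)
COUNTER = (b"GET /cgi-bin/Count.cgi?df=sample.dat HTTP/1.1\r\n"
           b"Host: webstats.web.rcn.net\r\nUser-Agent: Mozilla/4.0\r\n")
SAMPLES = {
    "counter_no_referer": COUNTER + b"\r\n",
    "counter_with_referer": COUNTER + b"Referer: http://www.example.com/\r\n\r\n",
    "ms_probe": MS_PROBE,
    "ms_browser": (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
                   b"User-Agent: Mozilla/4.0\r\n\r\n"),
    # worm-style attachment: uuencode header followed by a run of padding spaces
    "mail_worm_like": smtp_message(b"begin 664 Attachments.zip" + b" " * 48 + b"\n"),
    # legitimate uuencoded attachment: same header, real data follows
    "mail_benign_uu": smtp_message(
        b"begin 664 notes.txt\nM86)C9&5F9VAI:FML;6YO<'%R<W1U=G=X>7H`\n`\nend\n"),
}

if __name__ == "__main__":
    for name, sids in scan(SAMPLES).items():
        print(f"{name:22s} {sids or '-'}")
```

Only the three intended samples fire; the browser request to www.microsoft.com carries a User-Agent and is not 92 bytes, the counter hit with a Referer is excluded by the negated content, and the benign uuencoded attachment matches the anchor but not the run of spaces at the expected distance.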
